The Office of the Comptroller of the Currency, an agency within the Treasury Department, cited “serious and longstanding deficiencies and unsafe or unsound practices” in Citibank’s risk management and data governance.
“The OCC took these actions based on the bank’s longstanding failure to establish effective risk management and data governance programs and internal controls,” the agency said in a release Wednesday.
The penalty comes in conjunction with a separate but related enforcement action by the Federal Reserve Board against Citibank’s parent company, Citigroup (. The board issued a cease and desist order requiring Citigroup to improve its risk management practices, including in the areas of compliance risk management, data quality management and internal controls. )
The Federal Reserve Board noted that the action comes after Citigroup failed to adequately address concerns related to risk management and controls that it previously identified in 2013 and 2015.
Citi said in a statement Wednesday it is “fully committed” to addressing regulators’ concerns.
“Citi has significant remediation projects underway to strengthen our controls, infrastructure and governance,” Citi said. “These projects are each multi-year and have received significant investment. However, while we have made progress in each of these areas, we recognize that substantial improvement is still required to meet the standards we have set for ourselves and that our regulators expect of us.”
The bank said it plans to invest more than $1 billion this year in its risk management and controls efforts, and has hired a chief administrative officer to centralize management of the program and ensure its completion.
The Federal Reserve Board’s order marks a new responsibility for Jane Fraser, who is set to take over as Citigroup’s CEO from Michael Corbat in February. It also comes as Citi, like many banks, is grappling with the economic uncertainty and other fallout caused by the coronavirus pandemic.
Per the order, Citi’s board will have 120 days to submit a plan for how it will oversee the required improvements, including how it will hold senior management accountable for executing remediation plans and how it will ensure senior managers’ incentive pay is aligned with risk management incentives. In that time, the bank must also do a “gap analysis” of the changes necessary to its enterprise-wide risk management framework and internal controls systems with regard to three areas — capital planning, liquidity risk management and compliance risk management — before making a plan to address those gaps.
The order also lays out requirements for improving Citi’s data quality management practices and compliance risk management program.